LastPass Breach & Crypto Theft: 2022 Attacks Linked

by Priyanka Patel

LastPass Breach Linked to Ongoing Cryptocurrency Thefts
Published: October 26, 2023

Blockchain analytics firm TRM Labs has connected a wave of ongoing cryptocurrency thefts to a security breach at password manager LastPass that occurred in 2022. Attackers are reportedly draining digital wallets months, even years, after the encrypted vaults were stolen, laundering the stolen funds through Russian cryptocurrency exchanges.

LastPass confirmed in 2022 that its systems had been compromised through a breach of a developer environment. The company stated that while customer vaults remained encrypted, attackers gained access to stored password data and potentially vault contents. Some of these vaults contained both stored credentials and sensitive cryptocurrency wallet private keys and seed phrases.

Cryptocurrency Theft Attacks Linked to LastPass Breach

The 2022 LastPass breach continues to impact cryptocurrency users, with attackers slowly decrypting stolen vaults and draining funds.

During the 2022 breach, LastPass maintained that its vaults were encrypted. However, the company warned that users with weak or reused master passwords were vulnerable to offline cracking, a tactic TRM Labs believes has been ongoing since the incident. “Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password,” LastPass cautioned at the time.
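To make the warning above concrete, the following Python is an added illustration (not code from the article, TRM Labs or LastPass) of why both master-password strength and the iteration count matter once a vault is in an attacker's hands: key derivation follows LastPass's published scheme (PBKDF2-SHA256 salted with the account e-mail), raising the iteration count scales an offline guesser's cost linearly, while each extra bit of password entropy doubles it. The demo account, iteration values and attacker throughput are constructed assumptions.

```python
import hashlib

# Constructed numbers for illustration only; they are not taken from the article,
# from TRM Labs, or from LastPass. The rate is a hypothetical attacker's
# single-iteration HMAC-SHA256 throughput on one GPU.
ASSUMED_HMAC_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 salted by the e-mail.

    Whoever holds a stolen vault can re-run exactly this function for every
    candidate master password, so `iterations` is the only per-guess cost the
    defender controls; the salt only stops cross-account precomputation.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def expected_guesses(entropy_bits: float) -> float:
    """Average guesses before an attacker hits a password of this entropy (half the space)."""
    return 2.0 ** (entropy_bits - 1)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmac_per_second: float = ASSUMED_HMAC_PER_SECOND) -> float:
    """Expected wall-clock time for an offline guessing attack.

    Each guess costs `iterations` HMAC evaluations, so cost grows linearly in the
    iteration count but doubles with every extra bit of master-password entropy.
    """
    return expected_guesses(entropy_bits) * iterations / hmac_per_second


def crack_time_years(entropy_bits: float, iterations: int) -> float:
    """Same estimate in years, for reading the risk at a glance."""
    return expected_crack_seconds(entropy_bits, iterations) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed demo account; only a prefix of the derived key is shown.
    key = derive_vault_key("correct horse battery staple", "user@example.com", 600_000)
    print("vault key (first 4 bytes):", key[:4].hex())
    for bits, iters in [(28, 100_000), (28, 600_000), (40, 100_000), (60, 600_000)]:
        print(f"{bits:>3} bits @ {iters:>7} iterations: {crack_time_years(bits, iters):14.4f} years")
```

Running the table shows that a six-fold iteration increase buys less than three extra bits of master-password entropy, which is why the advice pairs a longer passphrase with a higher iteration setting rather than relying on either alone.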

The United States Secret Service confirmed the link between the LastPass breaches and the cryptocurrency thefts last year, seizing over $23 million in crypto. The agency stated that attackers obtained private keys by decrypting vault data stolen during the password manager breach. Court filings indicated no evidence of device compromise through malware or phishing attacks.

TRM Labs’ report connects the ongoing crypto theft directly to the exploitation of encrypted LastPass vaults stolen in 2022. Unlike a rapid, immediate drain of wallets, the thefts have unfolded in waves, occurring months or years after the initial breach. Attackers have been gradually decrypting vaults and extracting stored credentials, draining wallets using consistent transaction methods.

TRM Labs noted that the attackers possessed the private keys prior to the thefts. “The linkage in the report is not based on direct attribution to individual LastPass accounts, but on correlating downstream on-chain activity with the known impact pattern of the 2022 breach,” TRM explained. The firm observed a pattern where wallet activity occurred long after the breach, rather than immediately following it.

TRM Labs Highlights the Use of Wasabi’s CoinJoin Feature

The research initially stemmed from a small number of reports, including submissions to Chainabuse, where users identified the LastPass breach as the source of their stolen wallets. Researchers expanded their investigation, identifying similar cryptocurrency transaction behaviors across multiple cases, ultimately linking them to the data theft campaign.

TRM Labs also discovered that attackers were using Wasabi Wallet’s CoinJoin feature to obscure their tracks. CoinJoin is a Bitcoin privacy technique that combines multiple users’ transactions into a single transaction, making it more difficult to trace the flow of funds. The feature obfuscates transactions without relying on a conventional mixing service.

After draining wallets, hackers typically convert stolen assets to Bitcoin, route them through Wasabi Wallet, and attempt to conceal their activity using the CoinJoin feature. However, TRM Labs was able to “demix” the Bitcoin sent through CoinJoin by analyzing behavioral characteristics, such as transaction structure, timing, and wallet configuration choices. They were also able to correlate deposits with withdrawal patterns consistent with the crypto thefts.

Did you know? CoinJoin aims to enhance Bitcoin privacy by pooling transactions, but sophisticated analytics can still reveal patterns and trace funds.
  • The 2022 LastPass breach continues to result in cryptocurrency theft.
  • Attackers are decrypting stolen vaults over an extended period.
  • The U.S
